The Beastie Blog

gnome-keyring-daemon: couldn't allocate secure memory

Thursday, May 1 2014

Keep seeing the annoying message of “gnome-keyring-daemon: couldn’t allocate
secure memory to keep passwords or keys from being written to the disk” on
my FreeBSD system. And, it continues even after I had set
“security.bsd.unprivileged_mlock=1” back on December 20, 2013.

The default resource limit RLIMIT_MEMLOCK is 64k, which I would think is more
than sufficient.

So, it was time to research this problem in more depth.

Found that there’s a DEBUG_SECURE_MEMORY define to see how much memory its
trying to allocate. Which is trying to allocate blocks of 16k, which it later
refers to as pages. Thinking that its Windows that did memory pages that big?
Because most Unix/Linux systems use 4k (including my FreeBSD system), except
for Solaris which is 8k.

I tried change the constant to 4k, but this also failed.

I had skimmed the mlock(2) man page, where it had said:

Since physical memory is a potentially scare resource, processes are limited
in how much they can lock down. A single process can mlock() the minimum of
a system-wide ‘‘wired pages’’ limit vm.max_wired and the per-process
RLIMIT_MEMLOCK resource limit.

If security.bsd.unprivileged_mlock is set to 0 these calls are only
available to the super-user.

Well, on my system vm.max_wired is 1323555 and RLIMIT_MEMLOCK (ulimit -l) is 64 (kilobytes.)

Wrong. Delving into the Kernel source, I found that it first checks that
the per-process limit, and then that the requested amount + the amount already
wired system wide (r/o sysctl vm.stats.vm.v_wire_count) is not greater than
vm.max_wired.

Well, when I looked at vm.stats.vm.v_wire_count, it was 2020311... its already
got more than vm.max_wired` wired!

I feel a PR coming on….

132555 (which is about 5GB) is said to be 1/3 of some maximum…its a 16GB
system, probably some number less than contiguous to allow paging & I/O.
2020311 is about 7.7GB.

So, I did a “sysctl vm.max_wired=2097152” (8GB), and it took it (so I added it
to /etc/sysctl.conf, too.) and now gnome-keyring-daemon can start without
that message.